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BACKGROUND OF THE INVENTION 

1- Field of the Invention 

The present invention relates to a participation 
authority inana.geinent system for use in electronic access^ 
5 electronic bidding, electronic lottery, electronic petition, 
electronic voting or the like, 

2- Description of the Prior Art 

Conventionally, an anonymous participation system using 
blind signature has been studied. Blind signature refers to 

10 a system in which a signer signs without seeing the signed 
contents. For example, in the case of electronic voting, data 
Involved in the participation is the voting contents of the 
voter himself /herself . 

Thus, electronic voting can be conducted as follows. 

15 First, a participant subsystem (presenter) authorized to vote 
proves before a manager subsystem that the presenter is 
authorized to vote and then has the manager subsystem sign the 
voting contents by section of blind signature. 

A voting statement with the signature of this manager 

20 subsystem affixed is sent to a verification subsystem. The 
verification subsystem regards the voting statement submitted 
with the signature of the manager subsystem as a voting 
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statement sent by an eligible voter. To prevent an identical 
participant subsystem from participating in an identical 
voting session two or more times, it is determined that voting 
data which varies from one participant subsystem to another 
5 should be used and that the manager subsystem should issue a 
blind signature to each participant subsystem only once. 

In the case where voting contents with the same signature 
are sent, this makes it possible to determine that the same 
''■Q participant subsystem has attempted to vote twice. Since 

-5-; 

Iji 10 blind signature is used, even the manager subsystem cannot know 
to which participant subsystem the voting statement with the 
signature has been issued, which makes it possible to maintain 
:™ anonymity. 

Likewise, an electronic voting system using anonymous 
iU 15 certificates with blind signature is also under study. In the 
conventional example above, the participant subsystem needs 
to have the manager subsystem Issue a blind signature every 
time the participant subsystem participates in voting, that 
is, for every voting session* Therefore, the following 
20 describes a conventional case where a participant subsystem 
can participate in electronic voting any number of times with 
a single registration procedure ♦ 

First, the participant subsystem proves before the 
manager subsystem that the participant subsystem is a 
25 participant subsystem authorized to anonymously participate, 
then has the manager subsystem sign its own public key by 
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section of blind signature . The public key with this signature 
of the manager subsystem affixed is called "anonymous 
certificate" . 

Next, the participant subsystem signs the voting contents 
5 with its own secret key and sends the signed voting contents 
and the anonymous certificate to a verification sub&y&tem. 
The verification subsystem confirms that the anonymous 
certificate submitted is a public key with the signature of 

Q 

:g the manager subsystem affixed and that the signature of the 

""■•4 

10 voting statement can be correctly verified based on this public 



key, and when the confirmation is obtained, regards this as 
a voting statement sent by an eligible voter- VJhether an 
identical participant subsystem has not participated in an 
identical voting session more than once is confirmed by the 
15 absence of other voting statements based on the same anonymous 
certificate . 

Use of blind signature makes it unknown even to the manager 
subsystem to which participant subsystem an anonymous 
certificate has been issued, which makes it possible to 

20 maintain anonymity* However, if an identical participant 
subsystem votes in two voting sessions using an identical 
anonymous certificate, it will be revealed that the same 
participant subsystem has participated. 

Next, group signature will be explained below. This is 

25 a system in which even if two or more signatures are affixed 
using an identical anonymous certificate, whether the same 
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signer has signed or not is kept concealea. This technique 
is described in detail in a paper called "Efficient group 
signature schemes for large groups" in the international 
conference CRYPTO '97 by J, Camenisch and M. Stadler. 
5 First, the participant subsystem proves before the 

manager subsystem that the participant subsystem is a 
participant subsystem that belongs to a group authorized to 
participate anonymously and then has the manager subsystem 
issue a group secret Icey. 

10 Next, data to be sent is signed with this secret key and 

the signed data is sent to the verification subsystem. 

The verification subsystem confirms that the data 
submitted has a signature verifiable by a group public key 
affixed and when the confirmation is obtained, this can be 

15 regarded as the data sent by a participant subsystem belonging 
to an eligible group. Use of group signature makes it 
impossible to identify the particular participant subsystem 
in the group to which the group secret key used for generating 
each signature is belonged, which makes it possible to maintain 

20 anonymity - 

However, with this system even if an identical participant 
subsystem has sent data more than once to an identical session^ 
there is no way to verify whether the two signatures are affixed 
by using an identical group secret key or not, and therefore 

25 this system cannot be used for applications such as electronic 
voting which must prevent double voting. 
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A technology similar to group signature is escrow 
identification « which is described in detail in a paper called 
"Identity Escrow" in the international conference CRYPTO '98 
by J. Kilian and E. Petrank, However, this technology does 
5 not provide section for determining whether two identification 
information pieces are issued from an identical participant 
subsystem or not, either* 

A technology called '^subgroup slgnatura' is available. 
,g which Is a technology using group signature whose number of 

10 signatures is equal to the number of different participant 
subsystems. This technology is described in detadl in a paper 
called ""Some open Issues and new directions in group 
signatures" in the international conference Financial 
Cryptography '99byG. Ateniese and G, Tsudik- However, since 
15 all participant subsystems provide signature for common data, 
this technology cannot be used fox voting in which data to be 
sent varies from one participant to another. 



SUMMARY OF THE INVENTION 

As described above, there is no conventional technology 
20 that would allow a participant to participate in a plurality 
of sessions by a single registration procedure, detect whether 
there already exists data from the same participant, and 
conceal a participation relationship between sessions even if 
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the participant participates In a plurality of aeselona 
without this being detected, so as to be used for electronic 
voting and electronic bidding* 

In the conventional technology where data to be sent is 
5 signed by section of blind signature , It is necessary to conduct 
registration processing for every session, while the 
conventional technology using an anonymous certificate is 
unable to conceal a participation relationship between 
sessions « group signature or escrow identification is unable 
10 to verify session participation by an identical participant, 
and the technology using subgroup signature is unable to allow 
:5 each participant subsystem to create participation data 

independently. 

The present invention has been achieved by taking into 
15 account the points described above and it is an object of the 
present Invention to provide an anonymous participation 
authority management system in which a participant authorized 
to access or participate in a plurality of sessions can 
participate anonymously without the participant's name or 
20 participating relationship between the sessions being 

revealed, whereas it is possible to determine whether the same 
pax-ticipant has participated more than once in the same 
session. 

In other words , the present invention provides an 
25 anonymous participation authority management system allowing 
participants to participate in a plurality of sessions with 
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a single registration procedure, detecting any identical 
participant who has participated in an identical session more 
than once, and yet concealing a participation relationship 
between sessions ^ so as to be used for electronic voting, 
5 electronic bidding, and the like. 

According to the present invention, a system includes: 
a participant subsystem that is authorized to anonymously 
participate in a plurality of sessions using secret 
P information; and a reception subsystem that determines whether 

"'^4 10 it is acceptable for the participant subsystem to participate 
vH in a session, wherein the participant subsystem includes an 

^ anonymous signing section for authorizing individual data 

using the secret Information depending on session-related 
information to produce anonymous participation data with 

'-'^ i 

15 anonymous signature, and the reception subsystem includes: an 
Q anonymous signature determining section for determining 

whether received data is anonymous participation data with 
anonymous signature authorized by the participant subsystem: 
and a sender* match determining section fox* determining whether 

20 anonymous signatures of arbitrary two pieces of anonymous 
participation data are signed by an identical participant 
subsystem. 

The anonymous signature may include data that is generated 
by a predetermined expression using the session-related 
25 information and the secret information, wherein the sender 
match determining section checks the data included in the 
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anonymous signature of received anonymous participation data. 
The predetermined expression may be represented by raising a 
session- dependent base to a power that is dependent on the 
secret information. 
5 According to a first embodiment of the present invention, 

the anonymous signing section may include: a generator 
creating section for creating a session-dependent generator 
depending on the session-related information; a group signing 

O section for signing the individual data using the session- 

10 dependent generator and the secret Information to produce 

IjI anonymous participation data, wherein the anonymous 

participation data includes data obtained by raising the 

Q 

" session-dependent generator to a power determined by the 

r: secret information; and a linkage data generating section for 

iXI 15 generating linJcage data indicating a relationship among the 
Q session- dependent generator and a generator determined by the 

individual data and/or the session-related information. 

The secret Information Is represented by {jc. y, v) that 
satisfies: v = + S) mod n, where y ^ mod n , n Ls a. product 
20 of two prime numbers as used in the RSA cryptography, is a 
generator that generates a cyclic group of order n, is an 
integer mutually prime to zj, © is an integer mutually prime 
to the Euler number of n, and S is a constant other than 1, 
the generator creating section creates a session- 
2 5 dependent generator -7^ corresponding to a session A and a 
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generator ^r^ is generated based on the individual data m and/ or 
the session 

the group signing section sets -z- = ^r^^and generates a first 
proof statement 

proving the Knowledge of a satisfying ^ = ^^^^^^^^ ' and a second 
proof statement 

t^^ = SKROOTLOG(^*^^\£r,,0)[p: ^*£r,» = p'^(P*)](l) 
proving the knowledge of p satisfying ^g^^ = 



N 10 the linkage data generating section sets = ^/ , and 

m 

IJl generates a third proof statement 

t/3= SKREP(^i/^, ^./^J[Y= ^i/^ =(P^/J9:i)n(l) 
proving the Knowledge of Zj. and z have the same power to the 
bases ff„ and respectively, wherein the anonymous 
15 participation data is defined as m, z, z^, V^, V^, K3) , In 
this case, the anonymous signature determining section checks 
^ ^ha anonymous participation data 'to determine 
whether received data Is anonymous participation data with 
anonymous signature authorized by the participant subsystem. 
20 The sender match determining section checKs z of the anonymous 
participation data to determine whether anonymous signatures 
of arbitrary two pieces of anonymous participation data are 
signed by an identical participant subsystem. 

According to a second embodiment, the anonymous signing 
25 section may include: a generator creating section for creating 
a generator depending on the session-related information; and 
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a group signing section for signing the individual data using 
the generator and the secret information to pxoduce anonymous 
participation data, wherein the anonymous participation data 
includes data obtained by raising the session-dependent 
5 generator to a power determined by the secret information. 

In the case where he secret information is represented 
tiy y> ^) that satisfies: v ^ (j^ + S)^""" mod n, where y = 

^ mod n, the individual data is denoted by m, iJ is a product 
of two prime numbers as used in the RSA cryptography, ^ is a 
10 generator that generates a cyclic group of order n, a is an 
integer mutually prime to ^, e is an Integer mutually prime 
to the Euler number of n, and & is a constant other than 1, 

the generator creating section creates a session- 
dependent generator corresponding to a session A» 
15 the group signing section sets z = ^^^and generates a first 

proof statement 

= SKLOGLOG(^,^^,<s) [a:^ = ^T^t '^"J ] (m) 
proving the knowledge of a satisfying z ^ and a second 

proof statement 

20 = SKROOTLOG(^*^/,^r,,e) [p: z*g^ = P:i^P*J](m) 

proving the knowledge of P satisfying z^gj* = ^^(P*)^ wherein 
the anonymous participation data 13 is designated as (A, 

According to a third embodiment of the present invention, 
25 the anonymous signing section may include: a generator 

creating section for creating a session-dependent generator 
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depending on the session-related Information; an escrow 
identifying section for signing the Individual data using the 
session-dependent generator and the secret information to 
produce anonymous participation data, wherein the anonymous 
5 participation data Includes data obtained by raising the 
session -dependent generator to a power determined by the 
secret information; and a linkage data generating section for 
generating linkage data indicating a relationship among the 
session -dependent generator and a generator determined by the 

10 individual data and/ or the session-related information. 

The secret information is represented by (a, h) that 
satisfies b - (<3' - 6)^'* mod n, where ^ is a product of two prime 
numbers as used in the RSA cryptography, ^ is a generator that 
generates a cyclic group of order n, ^ is an integer mutually 

15 prime to e is an integer mutually prime to the Euler number 
of n, and 6 is a constant other than 1, 

the generator creating section creates a session - 
dependent generator corresponding to a session A and a 
generator i7« is generated based on the individual data m aud/or- 

20 the session 

the escrow identifying section sets = and 
generates a first proof statement 

- SKROOTLOG(^,,^^,0) [a: - ^^(^*)]C1) 

proving the knowledge of a satisfying = and sets 

and generates a second proof statement 
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proving the knowledge of p satisfying = ^^^^"1 , and 

the linkage data generating section sets 2^ = SfJ^^^^ and 
generates a third proof statement 

= SKREP(^^/^,, £r^/^J[Y; ^J^, = {3rJ ST^Vi {!) 
5 proving the knowledge of and having the same power to the 
hases and gt„, respectively, wherein the anonymous 
^ participation data is defined as (A, m. z^, z^, z^, V^, V^, V^) , 

In this case, the anonymous signature determining section 
determines whether z^^z^ = is satisfied and checks V^, V^, 
10 and of the anonymous participation data to determine whether 
received data is anonymous participation data with anonymous 
Q signature authorized by the participant subsystem. The sender 

- match determining section checks one of z^ and z^ of the 

anonymous participation data to determine whether anonymous 
15 signatures of arbitrary two pieces of anonymous participation 
data are signed by an identical participant subsystem. 

According to a fourth embodiment of the present invention, 
the anonymous signing section may include: a generator 
creating section for creating a session -dependent generator 
20 depending on the session-related information; apd an escrow 
identifying section for signing the individual data using the 
session-dependent generator and the secret infonnation to 
produce anonymous participation data^ wherein the anonymous 
participation data includes data obtained by raising the 
25 session-dependent generator to a power determined by the 
secret information . 



4 = 
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Th6 secret information is represented by £>) that 

satisfies ^> = (a* - 6)^^* mod n, where ^ is a product of two prime 
numbers as used in the RSA cryptography, ^ is a generator that 
generates a cyclic group of order ^ is an integer mutually 
5 prime to n, g is an integer mutually prime to the Euler number 
of n, and 5 is a constant other than 1, 

the generator creating section creates a session- 
dependent generator corresponding to a session A, 

the escrow identifying section sets z. and 
10 generates a first proof statement 

Vy^ = SKROOTL0G(^^,^^.e) [a: = ^^^^''M (m) 
proving the knowledge of a satisfying z„ « . and sets z^, 

and generates a second proof statement 

« $KROOTIiOG(^^.^^.©) [p: z^ = ff^^^^^Mm) 
15 proving the knowledge of P satisfying = 9a^^^^ ' wherein the 
anonymous participation data is defined as {A, m, z^, z^, 



BRIEF DESCRIPTION OF THE DRAWINGS 



20 



PIG. 1 is a block diagr-am showing a configuration of an 
embodiment of a participant subsystem according to the present 
invention; 
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FIG. 2 is a block alagram snowing a configuration of an 
embodiment of a reception subsystem according to the present 
invention ; 

FIG. 3 Is a block diagram showing a configuration of an 
5 embodiment of a system according to the present invention; 

FIG. 4 is a block diagram of a participant subsystem 
showing a configuration of a first embodiment of an anonymous 
signature function according to the present invention; 

FIG. 5 is a block diagram of a participant subsystem 
10 showing a configuration of a second embodiment of an anonymous 
signature function according to the present invention; 

FIG. 6 is a block diagram of a par-ticipant subsystem 
showing a configuration of a third embodiment of the anonymous 
signature function according to the present invention; and 

15 FIG, 7 is a block diagram of a participant subsystem 

showing a configuration of a fourth embodiment of the anonymous 
signature function according to the present invention. 



DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 
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In order to clarify tne objects, features and advantages 
of the present invention, embodiments of the present invention 
will be explained in detail below with reference to the attached 
drawings. A schematic system according to an embodiment of 
5 the present invention is shown in FIG. 1 to FIG. 3. FIG. 1 
shows a participant subsystem 101 and FIG. 2 shows a reception 
subsystem 102* FIG. 3 shows a conceptual diagram of the 
system. 

5J For example, in the case where this anonyinous 

si 10 participation authority management system is applied to a 

Jl- 

voter management system in electronic voting, the participant 
O subsystem corresponds to a voter subsystem and each eligible 

voter is given secret information from a manager subsystem 
beforehand and the reception subsystem performs voting 
^•^l 15 reception. 

:^ A session corresponds to each election event (nation- 

wide election, local government election, etc.) and 
session-related infommation includes information specifying 
the election session and is information common to all or a 

20 certain range of voters (e.g., voters in the same election 
administrative area), and individual data is voting data, 
which varies from one voter to another. 

Unlike conventional ^digital signature" in which a signer 
name is identified, in anonymous signature", a signer name 

25 is not identified and remains anonymous, but the "anonymous 
signature" indicates that it assures (authorizes) as a 



2001 01/19 FRI 16:19 FAX 03 3288 3222 Ktsuragi Patent FOLEY & LARDNER i018/057 



FQ5-511 . 16 

signature that data has been certainly created hy an anonymous 
person who has participation authority and has not been 
tampered by other people. There are two kinds of digital 
signature systems, one in which data to be signed is expressly 
5 separated from signature data, and the other in which data to 
be signed is indirectly included in signature data. Thus, 
suppose the anonymous signature, or participation data with 
an anonymous signature assigned described here includes data 
Q subject to anonymous signature. 

Q 10 With reference to FIG. 1 and FIG. 2, this participant 

subsystem 101 has secret information 10 given by communicating 
beforehand with the manager subsystem 100 in seicret 
information retaining section 20, generates anonymous 
participation data 13 obtained by authorizing through the 
15 anonymous signature function 21 session-related information 
11 of the session in which the participant wants to participate 
and individual data 12 which is to be entered in the session 
in which the participant wants to participate using a secret 
key 10 retained in the secret key retaining section 20 and 
20 anonymously sends this anonymous participation data 13 to the 
reception subsystem 102. 

The reception subsystem 102 receives this participation 
data and verifies through the anonymous signature verifying 
section 30 that this includes the individual data authorized 
2 5 by the participant subsystem authorized to anonymously 
participate in the relevant session. 
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Than, It is determined whether the participant previously 
participated in the session or not using the sender match 
determining section 31 that determines whether the received 
participation data is sent or not by the same participant 
5 subsystem that sent the participation data. 

In the case of voting, if the participant did not 
participate before, the relevant participation data sent is 
accepted and if the participant participated before, this is 
O accepted and notified. 

-4 10 Or it is also possible to receive all verified data first 

m 

Ifl and then accept only the data that the sender match determining 

;i section 31 has confirmed that the sajne participant subsystem 

'■^ is not found in the received pax-ticipation data , 

]^ In other cases such as bidding, it is also possible to 

fij 15 accept only the data involved in the first participation or 
Q validate the latest participation data or select only one from 

the participation data of the same participant subsystem and 

validate according to a certain standard. Of course. 

verification of participation data using the anonymous 
20 signature verifying section can be performed at any time after 

reception. 

Furthermore* in the case where this anonymous 
participation authority management system is applied to a 
bidder management system of electronic bidding; the 
2 5 participant subsystem corresponds to a bidder subsystem and 
each eligible bidder is given secret information from the 
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manager subsystem beforehand and the reception subsystem 
performs bidding reception. 

The session corresponds to each bidding item, 
session-related information includes information that 
5 specifies the bidding session and is information common to all 
bidders , and individual data corresponds to bidding data which 
varies from one bidder to another. 

For example, in the case where this anonymous 
n participation authority management system is applied to an 

if: 

10 applicant management system in electronic lottery, the 

participant subsystem corresponds to the applicant subsystem, 
each eligible applicant is given secret Information from the 
manager subsystem beforehand and the reception subsystem 
performs application reception, 
15 The sesdion corresponds to each lottery item, 

session-related information includes information that 
specifies the lottery session and is information common to all 
applicants , and individual data corresponds to application 
data which varies from one applicant to another . 
20 FIRST EMBODIMENT 

As shoxm in PIG. 4 , a case where group signature is applied 
will be described as a specific example. Operation of this 
embodiment will be explained below. 

As group signature, a system which J. Camenisch and M. 
25 Stadler introduced in a paper called "Efficient group 
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signature sctiemes for large groups" in the International 
conference CRYPTO '91 is known . 

As described in the above document, common constants 
3, e, n, b) are required where /? is a product of two prime numbers 
5 as used in the RSA cryptography, ^is a generator that generates 
a cyclic group of order n, is an integer mutually prime to 
n, d is an integer mutually prime to the Euler number of n, 
and 6 is a constant other than 1 . 

I a 

■,Q Then, the manager system 100 generates these common 

\l 

iY% 10 constants and designates the prime factor of Ji as the secret 

m 

fj information of the manager system. The method of generating 

:^ these common constants is described in detail in the above 

document . 

Given the above common constants a, e, 8) , each 

15 participant subsystem 10 1 communicates with a manager system 
that knows the prime factor of n and thereby acquires secret 
information 10 (jsr, jr, v-) that satisfies: 
V = (j^ + 6)^^" mod n 
where y ^ a' mod 
20 Here, as the method of acquiring the secret ' information 

(jf, z) , the manager system may generate all the information 
and distribute it to participant subsystems, or each 
participant subsystem may present only y while keeping x a 
secret and have the manager system calculate v from y, 
25 Furthermore, it is also possible to acquire the secret 
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Information (j^, y, xr) by using a blind signature teclinique 
without even revealing jr. 

Then, the proof system which will be used below will be 
explained first . 
5 SKREP(jr,5r)[a: y = ^] <m) 

means proving the knowledge of a satisfying y ~ ^ using {y, 
g, m) , where m is an arbitrary number. 

SKLOGLOG(r,p',a) [a: y - ] (m) 

means proving the knowledge of a satisfying y ^ g^^^^ using 
10 {y, a, m) , where m is an arbitrary number. 
Next, 

SKH0OTL0G(j^.ir,e) [ot: y - ] (m) 

means proving the knowledge of a satisfying y using 
{y. g. /n) , where m is an arbitrairy niimber. 
15 Since the method of creating a specific proof statement 

and the method of verifying the proof statement are described 
in detail in the above doc\iment, and these methods are not 
directly related to the present invention, they are not further 
described here- 

20 Then, the calculation as shown in FIG. 4 will be carried 

out as the anonymous signature function 21 using session 
management information A (11) and individual data m (12). 

First, a generator g^, corresponding to session A is 
acquired by the generator creating section 52 and then g„ is 

25 generated by g„ » Hash(-OT) . 
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Tnen, tne group signing section 51 sets z =» g/ and 
generates a proof statement 

proving the knowledge of a satisfying 2 ^ and a proof 

statement 

proving the knowledge of P satisfying z'^^ff^ - ^^^P*^ » 

Here, constant 1 to be input to SKLOGLOG and SKROOTLOG 

Is given as session-related information and is a constant to 



10 become tbe output from the external data inputting section 50, 
\ Then, the linkage data generating section '53 sets z^ = 

g/ and generates a proof statement 

H proving the knowledge of z-^ and z have the same power to the 

ry 15 bases g„ and gj^, respectively. 

O 

1^ As the output of the above processing, participation data 

13 is designated as {A, m, z, 2^, V^, F^, V^) . In the case where 

A is apparent, A need not particularly be added to the 

participation data. 
20 Furthermore^ in the generator creating section 52, g^ can 

also be given as part of the session-related information or 

it can be generated as = Hash(^). 

The reception subsystem that has received this 

participation data 13 acquires gj^ from A and confirms through 
25 the anonymous signature verifying section 30 that the 

certification statements V^, V2 and V^^ are valid. 
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Then, when the same z exists In a plurality of 
participation data, the sender match determining section 31 
can determine that these participation data have been sent by 
the same participant subsystem. This is because z included 
5 in the participation data from the same participant subsystem 
is identical with respect to the same session irrespective of 
the value of the individual data 

As shown above, when the participant subsystem 
participates in a different session using the same secret 
ijl 10 information 10 (jr, y, v) , the linkage is not ascertained 
\^ (because it is difficult to discriminate numbers obtained by 

raising different bases to same power from numbers obtained 
;L by other calculations). When the participant subsystem 

=^ participates in the same session, it is possible to construct 

iy 15 an anonymous participation authority management system In 
\^ which the linkage is ascertained. Furthermore, a system of 

invalidating the issued anonymous participation secret 
information is also described in the above document • 

Furthermore, it is easy for those skilled in the art to 
20 think of variations of the above system. For example, even 
if ff„ is generated by ff„ = Hash(^| I^ti) through the generator 
creating section 52, the effect remains unchanged. Here, " | 1 " 
denotes concatenation. Furthermore, if and ^ are 
generators over a finite field, which is uniquely determined 
25 by A and m, respectively, or ^ or -4 and /n, and g-^ need not 
use any hash function. Moreover, constant (1) is used as an 
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example of the output of the external data inputting section 
50 to generate V^, and V^, but any number or any variable 
such as ffj^, ffjf,, ^and z can be used if agreed to do so beforehand. 
Furthexinore , it is also possible to change the manner in 
5 which and are used by the generator creating section 52. 
For example, the generator creating section 52 may generate 
^„ = Hash(;77) from individual data m, and generate by = 
Hash(>4) using session-related information ^. Next, the group 
signing section 51 may set z;^ = ff/ , and generate a proof 
T\ 10 statement = SKLOCLOG{js^,gt„.&)[ai = £r^t^°J](l) proving the 

knowledge of a satisfying 2^ =« ^a^^*^ . and a proof statement 
= SKROOTLOG(^,*^^\^,,e)[p: 2^*sr^^ = ^T^^^ P") ] ( 1 ) proving the 
=^ knowledge of p satisfying z^^ff^ = gj^^^^ - Finally, the linkage 

'■^ data generating section 52 may set = g/ and generate a proof 

y 15 statement = SKREP(2r3/^-3, gjg^)i^i ^j/^z ° (5^^/^^)'] ( 1 ) proving 

^ the knowledge of z^ and -z-^ having the same power to the bases 

g„ and respectively. The participation data 13 is then 
designated as (A, w, z^, z^, V^, v^, V^) , However, the effect 
remains the same. 
20 In this case, the sender match determining section 31 will 

check whether z^ in the participation data duplicates . 

SECOND EMBODIMENT 
Furthermore, there can also be an example seeking to 
improve the efficiency. An anonymous signature function 21 
25 using session management information A and individual data m 
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will be explcLxned with reference to the participant subsystem 
lOlA in FIG. 5, 

Referring to FIG. 5, the generator creating section 52 
acquires a generator corresponding to session A, Next, the 
5 output from ttio external data Inputting section 62 is set to 
The group signing section 61 sets z = g/ and generates a 
proof statement 

= SKLOGLOGt^^p-^,*?) [a: z « ^^^^^'^hCm) 
proving the knowledge of a satisfying z = ffjS^^^ . and a proof 
10 statement 

V, = SKROOTLOG{^*i?:,\ir^,a)[P: ^-^^STa =^^<P*^](m) 
proving the knowledge of p satisfying z*^^ =^^(P*), The 
participation data 13 is designated as (A, m, V^, V^) , In 
the case where A is apparent, A need not particularly be added 

15 to the participation data* Furthermore, can also be given 
together with A or generated as = Hash(^). 

In this case, the participation data is not only shortened 
but it is necessary to verify the validity of only proof 
statements J^^ and the anonymous signature 'verifying 

20 section 30, which will improve the efficiency. Moreover, the 
output from the external data inputting section 62 need not 
be made dependent solely on the individual data but can also 
include session management information A, if it is also 
included during verification, 

25 THIRD EMBODIMENT 
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The system can also be designed based on an escrow 
identification system. The escrow identification technique 
is described in detail by J. Kilian and E. Petrank in a paper 
called "Identity Escrow" in the international conference 
5 CRYPTO '98. 

In this example, as described above, common constants 
a, e, n, b) are required where /2 is a product of two prime numbers 
used in RSA cryptography, ^ is a generator that generates a 
Q cyclic group of order a is an integer mutually prime to the 

jl 10 Euler number of /?, o is a constant other than 1, Then, the 

manager system generates these common constants and designates 
™ the prime factor of n as the secret information of the manager 

system* 

Given the above common constants g, n, 8), each 

15 participant subsystem communicates with a manager system that 
knows the prime factor of n and thereby acquires secret 
information 10 (s, b) that satisfies b = (a* - 6)^^* mod n. 

Here, as the method of acquiring the secret information 
(<3, b) , it is possible for the manager system to generate all 
20 the information and distribute it to participant subsystems 
or it is possible to acquire the secret information (a, b) by 
even hiding a using a blind signature technique . 

In the following example, supposing an anonymous 
signature function 21 using session management information A 
25 and individual data m, the following operation is performed 
by the participant subsystem lOlB as shown in FIG, 6. 
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Referring to FIG. 6. a generator corresponding to 
session A is acquired by the generator creating section 52 and 
then is generated by ST^ - Hash(-w) . 

Next, the escrow identifying section 81 sets = ^^f'^*'^ 
5 and generates a proof statement 

= SKROOTLOG{-2f,.^^,a) [a: - 5r^(-^')](l) 
proving the knowledge of a satisfying z^ = STa^^^^ . and sets -z-^, 
= and generates a proof statement 

= SKROOTLOG(-^^,5r^,e) [P: = 
10 proving the knowledge of p satisfying 2-^ = 

Then, the linkage data generating section 53 sets = 
and generates a proof statement 

proving the knowledge of jt, and having the same power to the 
15 bases and respectively. The participation data 13 Is 
designated as (A, m, z^, z^, z^, v^. V^, t^) . In the case Where 
A is apparent , A need not particularly be added to the 
participation data. Furthermore, can be given as part of 
the session-related information or it can also be generated 
20 as = Hash(-<4). 

The reception subsystem that has received this 
participation data 13 acquires from A and confirms through 
the anonymous signature verifying section 30 that z„l » 
is satisfied and proof statements V^, and ,are valid, 
25 Then, when the same exists in a plurality of 

participation data, the sender match determining section 31 
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can determine that these participation data have been sent by 
the same participant subsystem. This Is because Included 
In the participation data from the same participant subsystem 
is identical with respect to the same session irrespective of 
5 the value of the individual data m. 

Furthermore, even if the sender match determining section 
31 detects Zf, instead of the same effect is obtained. 

As shovm above, when the participant subsystem 
participates in a different session using the same secret 

10 information 10 (i3, to^ , the linkage is not ascertained (because 
it is difficult to distinguish numbers obtained by raising the 
different bases to the same power from numbers obtained by other 
calculations). It is possible to construct an anonymous 
participation authority management system in which the linkage 

15 is ascertained when the participant subsystem participates in 
the same session. Furthermore, unlike the aforementioned 
example, the efficiency is Improved by using only SKROOTLOG, 
which is more efficient than SKLOGLOG. 

Furthermore, a system of invalidating the issued secret 

20 information for anonymous participation is also discussed in 
the above document . 

Furthermore, it is easy for those skilled in the art to 
think of variations of the above system. For example, even 
if is generated by ^„ « Hash(i4| \m) through the generator 

25 creating section 52, the effect remains unchanged. Here, " | | " 
denotes concatenation. Furthermore, if and g„ are 
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generators over a finite field, which, is uniquely determined 
toy A and n?, respectively, or ^4 or ^ and /n, 9m need not 

use any hash function. Moreover, constant (1) is used as an 
example of the output of the external data inputting section 
5 50 to generate V^. and l^j, but any number or any variable 
such gj^, y and z can be used if agreed to do so beforehand. 

Furthermore, it is also possible to change the manner in 
which g„ and g^^ are used by the generator creating section 52 . 
For example, the generator creating section 52 may generate 
10 g^ by gj^ = Hash(-*4) using session-related information A, and g^ 
= Hash(777) from Individual data;??. Next , the escrow identifying 
U section 81 may set and generate a proof statement 

=» SKROOTLOG(^^,^„,d) [a: z^ = g^^^*"^ ] (1) proving the Knowledge 
of a satisfying z^ and set z^ and generate 

15 a proof statement =- SKROOTLOG(^^,^^, a) [p : z^ - ^^t^'Md) 
proving the knowledge of P satisfying z^^ = ^^f**"). 

Finally, the link data generating section 53 may set 

= gA^^^^ ^"^^ generate a proof statement = SKREP(^^/^,, ^J9m^ [Y- 
zj z„ =(^^/^^)M ( 1) proving the knowledge of z^ and z^ having the 
20 same power to the bases g^ and gj^, respectively; The 

participation data 13 is then designated as {A, m, z^^ z^,^ z^, 
K> ^^a) • However, the effect remains the same* 
In this case, the sender match determining section 31 will 
check whether z^ in the participation data duplicates . 
25 FOURTH EMBODIMENT 
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Furthermore, there can also be an example seeking to 
improve the efficiency- An anonymous signature function 21 
using session management information A and individual data m 
will be explained with reference to the participant subsystem 
5 lOlC in FIG* 1. 

Referring to FIG- 7, the generator creating section 60 
acquires a generator corresponding to session A. 

Next, the output from the external data inputting section 
■ 62 is sat to m. The escrow identifying section 91 sets = 

\ 10 ^^<«) and generates a proof statement 
! = SKROOTLOG(^,.^^.s) [a: = sr^t"") ] (m) 

f proving the knowledge of a satisfying = 

(a°) . 

and sets 

a ^^(P*) and generate a proof statement 

= SKROOTLOG(^^,^^,a) [p: - ilr^^P'^ ] (m) 

J 15 proving the knowledge of P satisfying = The 
f participation data 13 is then designated as {A, z^, z^, V^, 

V2) - In the case where A is apparent, A need not particularly 
be added to the participation data. Furthermore', can also 
be given together with A or generated as = Hash(^). 
20 In this case, the participation data is not only shortened 

but it is necessary to verify the validity of only proof 
statements and V2 anonymous signature verifying 

section 30, which will improve the efficiency. 

Another merit of this example is that secret information 
25 specific to the reception system is not necessary in the 
anonymous signature verifying section and sender match 
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determining section. Therefore, if all participation data is 
disclOBed to the public in order to verify the validity of 
electronic voting, everybody can verify that all participation 
data are votes of valid eligible voters and no identical 
5 eligible voter has performed double voting. Such a system can 
also be applied to an electronic petition. 

In electronic bidding, there can be such illegality that 
a reception system receives a plurality of participation data 
(bidding data] from a specific participant subsystem and 

10 leaves the most advantageous data from among those data later. 
In this case, even if everybody can use the sender match 
determining section, it is not possible to detect this 
illegality. In this case, before unsealing (that is, before 
it is found which data is advantageous), the received 

15 participation data is identified and made unchangeable or a 
receipt for the received participation data is Issued in a form 
dependent on the previous participation data, and if the 
participation data is deleted, there will be a mismatch with 
the receipts of other participants, thus disclosing the 

20 illegality. 

This embodiment is introduced as an operation on a general 
number field, but it is obvious to those skilled in the art 
that even if this embodiment is read as an operation on an 
elliptic curve or as an operation on another group or field, 

25 the same effect can be obtained. 
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It ±s appax-ent that the present Invention is not limited 
to each of the above embodiments but can be modified in various 
manners without departing from the spirit and/or ^cope of the 
technological concept of the present invention . 
5 As described above, the present invention provides an 

anonymous participation authority management system that 
allows a participant subsystem to anonymously participate in 
a plurality of sessions with a single registration procedure 
with a manager subsystem so as to be made available for 
10 electronic voting or electronic bidding^ while concealing the 

m 

Iff participation relationship between sessions, and that allows 

iQ 3. reception subsystean to verify that the participation data 

is data sent by an eligible participant subsystem authorized 
to participate and identify any duplicate participation data 
15 from the same participant subsystem. 
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